Re: A Look In the Mirror: Attacks on Package Managers

To: debian-devel@lists.debian.org
Subject: Re: A Look In the Mirror: Attacks on Package Managers
From: Ansgar Burchardt <ansgar@43-1.org>
Date: Sun, 06 Jun 2010 14:50:31 +0900
Message-id: <[🔎] 87k4qc90bc.fsf@marvin.43-1.org>
In-reply-to: <[🔎] 87ljas7mqs.fsf@windlord.stanford.edu> (Russ Allbery's message of "Sat, 05 Jun 2010 22:28:59 -0700")
References: <[🔎] 20100606122827.acb09dd5.mle+debian@mega-nerd.com> <[🔎] 20100606003753.f701e457.michael.s.gilbert@gmail.com> <[🔎] 20100606145810.2ea1ad40.erikd@mega-nerd.com> <[🔎] 87ljas7mqs.fsf@windlord.stanford.edu>

Russ Allbery <rra@debian.org> writes:

> There was some discussion of periodically resigning the security archive
> even if there are no updates so that package managers could warn if more
> than X days had gone by without an update to the security archive
> signatures.  I don't know if anyone has concrete plans to implement that.

The Release file in the repository has now a Valid-Until field that
invalidates the repository after some time without updates. This can be
used to detect a mirror provided outdated packages.

I am not sure whether APT checks this or not. I hope it does.

Regards,
Ansgar

Reply to:

Follow-Ups:
- Re: A Look In the Mirror: Attacks on Package Managers
  - From: Josselin Mouette <joss@debian.org>

References:
- A Look In the Mirror: Attacks on Package Managers
  - From: Erik de Castro Lopo <mle+debian@mega-nerd.com>
- Re: A Look In the Mirror: Attacks on Package Managers
  - From: Michael Gilbert <michael.s.gilbert@gmail.com>
- Re: A Look In the Mirror: Attacks on Package Managers
  - From: Erik de Castro Lopo <erikd@mega-nerd.com>
- Re: A Look In the Mirror: Attacks on Package Managers
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: A Look In the Mirror: Attacks on Package Managers
Next by Date: Re: how to help end-users to increase the life-time of their SSDs
Previous by thread: Re: A Look In the Mirror: Attacks on Package Managers
Next by thread: Re: A Look In the Mirror: Attacks on Package Managers
Index(es):
- Date
- Thread